White House team tackles identity management in the cloud

Jeremy Grant, senior executive advisor for identity management, NIST

The government's move online has been stymied over the last decade because agencies can't deploy their "killer app." Why? Mainly because identity management hasn't gained the traction needed.

But a White House-led tiger team is trying to change that.

The working group is creating common requirements that all agencies could agree to around federated identity management in the cloud, said Jeremy Grant, the senior executive advisor for identity management at the National Institute of Standards and Technology and leader of the National Strategy for Trusted Identities in Cyberspace program office.

He said the tiger team also is fostering discussion to see where agencies share common interests in offering or using similar services.

"There are a lot of offerings agencies aren't able to put online because they can't solve the age-old identity conundrum of do you really know the person is who they say they are or are they just a dog on the Internet?" Grant said. "Sometimes for services, you don't care who the person is. But many agencies are finding they have one or two killer apps that they simply can't move online unless they deal with the identity conundrum."

Grant said creating a shared service using commercial identity authentication and verification standards, such as OpenID, could finally give agencies the confidence to put the killer app online.

Online transactions missing from initiatives

The Bush administration created dozens of websites under the e-government initiatives, but none offered the ability to do online transactions.

The Obama administration has been pushing for agencies to focus on citizens by making it easier to find information. The White House is asking Congress for reorganization authority and launched the BusinessUSA.gov site to consolidate multiple business-related portals.

But few, if any, portals actually let citizens or businesses complete transactions, submit a form online or apply for benefits.

"Every agency has got that same issue today, if they can't finally figure how to deal with verification and identity those services can't be online," Grant said. "What a lot of agencies are now finding is the cost of building this infrastructure on their own can be quite significant. Relative to the idea of leveraging a single enterprise service that would be hosted in the cloud that would work on behalf of all of government could really be an easy button that would make it much simpler to put these services online."

The government has attempted several times over the years to create a federated identity management offering. The General Services Administration has had moderate success with the Federal Bridge, which focuses on using public-key infrastructure technology for high security needs.

NIH using OpenID standards

GSA also approved several vendors, such as Google, PayPal, Symantec and others, for Level 1 credentials, the lowest level under the Federal Identity, Credential and Access Management (ICAM) framework.

But agencies still haven't flocked to require anything but usernames and passwords.

Grant said a handful of leading agencies, such as the National Institutes of Health, are showing that accepting third-party credentials isn't as difficult as one might think.

NIH has been testing the use of commercial identities for academics, researchers and others through the iTrust offering. Under iTrust, federal employees and non-feds can log onto five different systems, including the National Library of Medicine's PubMed biomedical research database and its electronic vendor invoicing system.
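To make concrete what "accepting third-party credentials" asks of an agency application, here is an added example of a minimal relying party. It is not code from the article, from NIH's iTrust, or from GSA's ICAM program. It assumes a constructed identity provider that signs a JSON assertion with an HMAC key shared with the agency out of band (real OpenID and SAML deployments use public-key signatures, but the relying-party checks are the same: trusted issuer, valid signature, intended audience, not expired) and a constructed policy that maps each application to the minimum assurance level it requires, with Level 1 as the lowest level, as in the ICAM framework described above. Issuer names, secrets, service names and claim values are all hypothetical.

```python
"""Minimal relying party that accepts a third-party (federated) credential.

Added example, not the article's or NIH's code. The HMAC-signed assertion,
issuer name, shared secret, service names and assurance policy are constructed
for illustration only.
"""
import hashlib
import hmac
import json
import time

# Constructed trust store: which identity providers the agency has approved,
# and the out-of-band shared secret used to check each provider's signature.
TRUSTED_ISSUERS = {"idp.example-provider.test": b"shared-secret-for-demo"}

# Constructed policy: minimum assurance level each application requires.
# Level 1 is the lowest level; a low-risk lookup service can accept it,
# while a service that moves money should demand more.
SERVICE_MIN_LEVEL = {"pubmed-search": 1, "vendor-invoicing": 2}

# The audience value this relying party expects to find in every assertion.
EXPECTED_AUDIENCE = "agency-portal"


def sign_assertion(claims, key):
    """Identity-provider side: serialize claims and append an HMAC-SHA256 tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag


def verify_assertion(token, audience, now=None):
    """Relying-party side: return the claims if every check passes, else None."""
    now = time.time() if now is None else now
    # The tag is hex and contains no '.', so the last '.' splits body from tag.
    body, _, tag = token.rpartition(".")
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    # 1. Issuer must be one the agency has approved.
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        return None
    # 2. Signature must match the raw body exactly as it was signed.
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    # 3. Assertion must be meant for this relying party and still be valid.
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(token, service, now=None):
    """Accept the credential only if it verifies and its assurance level is
    high enough for the requested application."""
    claims = verify_assertion(token, EXPECTED_AUDIENCE, now=now)
    if claims is None:
        return False
    return int(claims.get("level", 0)) >= SERVICE_MIN_LEVEL[service]


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["idp.example-provider.test"]
    token = sign_assertion(
        {"iss": "idp.example-provider.test", "sub": "researcher-42",
         "aud": EXPECTED_AUDIENCE, "exp": time.time() + 300, "level": 1},
        key,
    )
    print("pubmed-search:", authorize(token, "pubmed-search"))
    print("vendor-invoicing:", authorize(token, "vendor-invoicing"))
```

The point of the per-service table is the one Grant makes: for some services you don't care much who the person is, so a Level 1 credential from an approved provider is enough, while the same assertion is refused for an application that needs stronger verification. A single shared service would host the trust store and the verification logic once, and each agency application would only have to supply its own minimum level.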

"While this was built originally for some NIH applications, the institute then started to allow other parts of HHS to ride off the infrastructure and some other agencies," Grant said. "It really shows there was a model for a shared services approach for credential authentication verification that you could set up an agency as a center of excellence to host it and others could leverage it. If any agency has paved the way for how this could be done, it's certainly NIH."

The National Cancer Institute also is using high levels of authentication to speed up drug trials.

OMB mandates use of third-party credentials

In addition to the NIH, the administration is promoting the use of third-party credentials. Federal chief information officer Steven VanRoekel issued a memo in October requiring agencies to begin implementing technology to use third-party credentials.

Grant said the tiger team is building upon all of these efforts.

"A lot of the work is being done internally right now between the agencies, so I don't want to say too much other than in two or three months we should have a common set of requirements that actually developed," he said. "From there we would go forward with now that we've laid out what the objectives are of a service, how do we stand one up? I think right now there is quite a bit of work that needs to be done to sort out requirements before we take the next step."